Fake Microsoft Entra Passkey Phishing Targets M365 Users
Attackers use voice-based social engineering to trick users into enrolling fake passkeys. This grants unauthorized access to Microsoft 365 accounts for data extortion.
TL;DR
- Threat group O-UNC-066 uses fake Microsoft Entra passkey enrollment to compromise M365 accounts
- Voice-based phishing prompts users to enroll malicious passkeys via a panel-controlled kit
- Attack enables unauthorized access leading to potential data extortion
- Organizations across multiple sectors have been targeted
- Security teams should educate users on verifying authentication requests
A sophisticated phishing campaign is targeting Microsoft 365 users by mimicking legitimate security procedures. Threat actors are using voice-based social engineering techniques to convince victims to enroll fake passkeys through Microsoft Entra, potentially granting attackers full access to corporate accounts.
Security researchers at Okta have identified this emerging threat vector, which leverages user trust in official-looking authentication processes. The attack demonstrates how social engineering continues to evolve alongside new authentication technologies, creating novel pathways for account compromise.
Attack Methodology
- O-UNC-066 deploys a panel-controlled phishing kit specifically designed to target passkey enrollment workflows
- Attackers initiate voice calls to Microsoft 365 users, posing as IT security personnel
- Victims are directed to enroll what they believe is a legitimate Microsoft Entra passkey
- The fake enrollment process captures authentication credentials and grants attacker access
- Compromised accounts are used for data access and potential extortion activities
Security Implications
- This attack exploits user trust in multi-factor authentication setup processes
- Voice-based social engineering bypasses traditional email-based phishing detection
- Organizations using Microsoft Entra ID and passkey authentication are potentially vulnerable
- Traditional security awareness training may not cover these advanced social engineering tactics
- Incident response teams should monitor for unusual passkey enrollment activities
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.